No matter how good technical security measures may be, they are of little use if data, programmes and computers are handled carelessly and negligently. In addition to technology, it is therefore also crucial to consider the human factor when it comes to IT security. After all, threats can arise not only from external attacks, but also - whether consciously or unconsciously - from employees themselves.
Social engineering attacks are a good example of how human vulnerability can be exploited. One of the most common forms is the phishing email: a fake message, for example from the victim's supposed bank, asking for account details or the PIN and TAN for online banking access, ostensibly for verification purposes. If the victim provides the data, the fraudster can make a money transfer at the victim's expense.
But here too, the attacks are becoming increasingly sophisticated. There are more and more cases of callers requesting confidential data such as passwords or business-critical information. The caller uses insider knowledge or small talk about everyday office life to inspire confidence, confuses the target with technical jargon, or exerts pressure to obtain the desired information. If confidential data is passed on carelessly, this can cause considerable damage to a company.
Mobile devices such as laptops, smartphones or tablets, which are now part of everyday working life for many, are also a potential risk factor. In the event of loss or theft, there is not only the cost of replacement but also the risk of unauthorised access to internal company information. Further dangers lurk, for example, in email attachments that may contain malware, or in the use of USB sticks, which allow the security mechanisms at the interface between the company network and the Internet to be bypassed.
As these examples show, it is essential for companies to sensitise their employees to the issue of information security. It is important to design IT security rules of conduct in such a way that they meet the real requirements of companies and employees - only then will they be accepted. Of course, this also applies to a security policy in other segments of corporate security, such as the protection of technical expertise.
